Conventionally, a security breach in a network environment such as a compute cluster coupled to one or more other components (e.g. servers, workstations, switches, and storage devices) is detected either through special-purpose software that compares a library of known malware against data resident on the components of the network environment (e.g. in the case of malware or exploits), or by detecting a sudden or significant change in network behavior (e.g. a traffic spike in the event of a distributed denial of service (DDoS) attack). DDoS detection conventionally involves a human element in the form of experts monitoring network behavior to determine whether an attack is underway.
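To make the two conventional mechanisms concrete, the following is an added illustration (not part of the patent text, and not a description of any particular product): a minimal signature comparison against a constructed "known malware" library, and a traffic-spike detector that flags an interval whose request count departs sharply from a trailing baseline. The signature library, file contents, request counts and thresholds are all constructed for the example.

```python
"""Added illustration of signature matching and traffic-spike detection.

Not from the patent text; all signatures, file contents and counts are constructed.
"""
import hashlib
import statistics
from typing import Dict, List, Tuple

# Constructed "library of known malware": SHA-256 of content -> label.
# Real signature libraries are far larger and match on more than whole-file hashes.
KNOWN_BAD_SHA256: Dict[str, str] = {
    hashlib.sha256(b"CONSTRUCTED-MALICIOUS-PAYLOAD-1").hexdigest(): "constructed.sample.a",
    hashlib.sha256(b"CONSTRUCTED-MALICIOUS-PAYLOAD-2").hexdigest(): "constructed.sample.b",
}


def scan_files(files: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Compare resident data against the signature library.

    `files` maps a path to its content (held in memory for the example).
    Returns (path, label) for every file whose SHA-256 matches a known signature.
    """
    hits: List[Tuple[str, str]] = []
    for path, content in files.items():
        digest = hashlib.sha256(content).hexdigest()
        label = KNOWN_BAD_SHA256.get(digest)
        if label is not None:
            hits.append((path, label))
    return hits


def detect_traffic_spikes(
    counts: List[int], window: int = 10, z_threshold: float = 4.0, min_ratio: float = 3.0
) -> List[int]:
    """Flag intervals whose request count is abnormally high versus a trailing baseline.

    Returns the indices of flagged intervals. The baseline is built only from
    intervals that were NOT flagged, so a sustained attack does not raise the
    baseline and hide its own later intervals. Both a z-score test and an
    absolute-ratio test must pass, so a very flat baseline (tiny standard
    deviation) does not cause modest fluctuations to be reported.
    """
    flagged: List[int] = []
    baseline: List[int] = []
    for i, count in enumerate(counts):
        if len(baseline) >= window:
            mean = statistics.fmean(baseline)
            stdev = statistics.pstdev(baseline)
            if stdev > 0:
                z = (count - mean) / stdev
            else:
                # Perfectly flat baseline: any increase is infinitely "surprising"
                z = float("inf") if count > mean else 0.0
            if z >= z_threshold and count >= min_ratio * mean:
                flagged.append(i)
                continue  # keep attack intervals out of the baseline
        baseline.append(count)
        if len(baseline) > window:
            baseline.pop(0)
    return flagged


if __name__ == "__main__":
    # Constructed sample data: two benign files and one matching a signature.
    sample_files = {
        "/data/job-input.csv": b"id,value\n1,42\n",
        "/data/tool.bin": b"CONSTRUCTED-MALICIOUS-PAYLOAD-1",
    }
    print("signature hits:", scan_files(sample_files))

    # Constructed per-interval request counts: ~100/interval, then a burst.
    sample_counts = [98, 102, 100, 99, 101, 100, 97, 103, 100, 100, 100, 100, 5000, 5200, 100]
    print("spike intervals:", detect_traffic_spikes(sample_counts))
```

Both functions operate only on data already present (file contents, historical counts), which is exactly the reactive property the next paragraph criticizes: the signature must already be in the library, and the burst must already be under way, before either function reports anything.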
However, these conventional approaches to detecting security breaches are reactive rather than proactive, often requiring manual or scheduled execution of the specialized software or network analysis. For a breach to be detected at the time of the analysis, at least some damage must already have occurred, increasing the likelihood that the breach will have had an opportunity to propagate to some degree to other components of the network environment in the interim.
Once a security breach is detected, typically the affected component(s) are isolated from other components of the network environment so that the breach may be addressed without further propagating to other portions of the network environment.
Conventional quarantine-based approaches to resolving security breaches generally incur performance detriments to the network environment. For instance, isolating the breached component in a quarantine removes the component's corresponding functional contribution to the network environment, e.g. reduced processing power, memory availability, network bandwidth, storage capacity, etc., for the duration of the quarantine. Since existing techniques for detecting the particular type of breach, identifying the source and/or impact of the breach, and resolving the breach are both computationally- and time-intensive processes, the quarantine procedure can result in significant detriments to overall system performance.
In addition, processes being handled by or otherwise relying on the breached component may be compromised or lost entirely due to the breach, particularly when other (e.g. non-breached) components depend upon the completion of processes handled by the breached component. These losses further degrade the performance of the system as a whole.
Accordingly, it would be beneficial to provide systems, methods, computer program products and the like which avoid the problems associated with conventional approaches to detecting security breaches in a network environment.